[Active Directory] IPv6 DNS takeover via MItM

IPv6 DNS Takeover Overview

  1. This attack attempts a DNS takeover in a network via IPv6 using mitm6, which listens for ipv6 DNS requests, spoofs the DNS reply and passes it to ntlmrelayx.
  2. Ntlmrelayx captures NTLM credentials obtained through a fake WPAD proxy and relays them to an authentication service.
  3. Once it succeeds in authentication, it dumps the domain information. This attack can be built upon to get all the NTLM hashes from the domain.

All Windows versions since Windows Vista (including server variants) have IPv6 enabled and prefer it over IPv4. By default, every Windows machine since Windows Vista will request this configuration regularly.

Attack Requirements

  • Domain Name
  • IP address of Domain Controller
  • Tools: mitm6 & Impacket-ntlmrelayx
  • IPv6 DNS request on the network
  • User with privileges

Warning: Run it during short timeframes, and during specific hours like Start of shift, right after lunch, when users turn on their laptops and log in again

The mitm6 attack

Attack phase 1 – Primary DNS takeover

mitm6 starts with listening on the primary interface of the attacker machine for Windows clients requesting an IPv6 configuration via DHCPv6. This can be seen in a packet capture from Wireshark:

  • DHCPv6 Solicit
  • DHCPv6 Advertise
  • DHCPv6 Request
  • DHCPv6 Reply

mitm6 will reply to those DHCPv6 requests, assigning the victim an IPv6 address within the link-local range. While in an actual IPv6 network these addresses are auto-assigned by the hosts themselves and do not need to be configured by a DHCP server, this gives us the opportunity to set the attackers IP as the default IPv6 DNS server for the victims.

mitm6 does not advertise itself as a gateway, and thus hosts will not actually attempt to communicate with IPv6 hosts outside their local network segment or VLAN.

Attack phase 2 – DNS spoofing

On the victim machine we see that our server is configured as DNS server. Due to the preference of Windows regarding IP protocols, the IPv6 DNS server will be preferred over the IPv4 DNS server. The IPv6 DNS server will be used to query both for A (IPv4) and AAAA (IPv6) records.

Once the attacker has control of the DNS requests, they can utilize them to carry out a variety of attacks. For instance, they might divert traffic intended for a legitimate website to a phony version of the same site that is intended to steal sensitive data like login credentials.

Attack phase 3 – Attacking WPAD (MS16-077)

WPAD simplifies proxy configuration by dynamically providing settings based on network conditions.

  1. Clients use DHCP and/or DNS to find a web server on your network that hosts the wpad.dat file.
  2. The wpad.dat file specifies rules based on URL patterns, IP addresses, and domains.
  3. If a client’s requested URL matches any rule, it follows the corresponding proxy configuration.
  4. If no rule matches, the default proxy server (specified in the wpad.dat file) is used.
  5. You can use this to set up content filtering, exceptions, and custom proxy servers1.

PAC File (wpad.dat): A special Proxy Auto Configuration (PAC) file describes rules for using a proxy. The predefined name for this file is wpad.dat

Attack phase 4 – Download the AD database

Once the wpad.dat has been served, the scripts will download domain enumeration into the specified folder.

These files include

  • Domain Computers
  • Domain Groups
  • Domain Policy
  • Domain Users

Attack phase 5 – IPv6 DNS taken over

Once, the IPv6 DNS has been taken over, if a user with sufficient privileges logs in, these scripts will attempt to add a new user within Active Directory. This user will have Enterprise Admins privileges, which can be used to perform DC Sync to the Domain Controller.

If we verify the Active directory user list, we can find this new user created

Next step would be trying a DCSync attack using these credentials.

Attack Execution

1. Find out about the domain name, by querying the domain controller

  • nmap -sC -A 192.168.0.100

2. Run the necessary services (ntlmrelayx)

  • impacket-ntlmrelayx -6 -t ldaps://DC-IP -wh <wpad_fake_name>.<domain.local> -l <folder name>
  • impacket-ntlmrelayx -6 -t ldaps://192.168.0.100 -wh fakewpad.lab.local -l lootme

3. Now run the MITM6 tool, to start spoofing the IPv6 DNS (https://github.com/dirkjanm/mitm6)

  • sudo python3 mitm6.py -d <domain>
  • sudo python3 mitm6.py -d lab.local

4. Wait for a computer to request IPv6 DNS over the network

we can host a fake WPAD for the victim, which sets the web proxy to the attacker’s IP address when queried. Now, whenever the victim uses any application that connects to the internet, it will use our machine as a proxy. Once connected, the proxy server (attacker machine) responds with an HTTP 407:Proxy Authentication required, prompting the Windows machine to send us the NTLM challenge/response. This can be relayed to different authentication services such as LDAPS, SMB or HTTP.

5. When this occurs, it means, we poisoned the remote host, now we need to wait for a user to log into this machine, once, it happens we will see “HTTPD(80): Authenticating against ldaps://192.168.0.100 as LAB/SUCHIHA SUCCEED”

After authentication ntlmrelayx performs a ldap domain dump which provides us with quite a bit of information for us. These file can be found in lootme folder which we specified when we were setting up the relay.

6. Now if an administrator tries to login to a compromised machine and it succeeds, ntlmrelayx is going to create an access control list or ACL for us and is going to set us with a new user and password, with the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges.

Extra: DCSync

1. Having these new credentials, we can perform a DCSync attack against the domain controller

  • impacket-secretsdump lab.local/eYcmWVhNDv:’X*}CdYk6jTk0z>V’@192.168.0.100 -just-dc

Mitigation

MITM6 attacks can be difficult to detect and prevent, as they often involve sophisticated techniques and tools. However, there are steps that organizations and individuals can take to protect against these types of attacks:

  • Disabling IPv6 if it is not used on your internal network will prevent Windows clients from querying for a DHCPv6 server thereby making it impossible to take over the DNS server.
  • Disable the Proxy Auto detection via Group Policy. If your company uses a proxy configuration file internally (PAC file) it is recommended to explicitly configure the PAC URL instead of relying on WPAD to detect it automatically.
  • In order to prevent NTLM relaying you should consider disabling it entirely and switch to Kerberos or, if that isn’t possible, you should:
  • enable SMB signing to prevent relaying to SMB by requiring all traffic to be signed
  • enable LDAP signing to prevent unsigned connections to LDAP
  • Enable extended protection for authentication which will prevent some relaying attacks by ensuring that the TLS channel used for the connection to the server is the same that the client uses when authenticating.

References

https://n1chr0x.medium.com/from-dns-to-domination-dns-takeover-demystified-with-mitm6-e9cd438d42a7

https://medium.com/@huseyin.eksi/how-to-ipv6-dns-takeover-via-mitm6-24b64dac2db5

https://redfoxsec.com/blog/ipv6-dns-takeover/

https://blog.evanricafort.com/2023/05/ipv6-dns-takeover-via-mitm6-write-up.html

https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/

https://bohansec.com/2020/10/18/AD-Attack-Lab-Part-2/

https://cheatsheet.haax.fr/windows-systems/exploitation/ipv6/

https://github.com/dirkjanm/mitm6

https://github.com/fortra/impacket/releases/tag/impacket_0_9_22

[Authenticated][Information Gathering] Manual Azure enumeration using Azure Az Powershell Module

Description

The Az PowerShell module is a set of cmdlets for managing Azure resources directly from PowerShell. PowerShell provides powerful features for automation that can be leveraged for managing your Azure resources, for example in the context of a CI/CD pipeline.

The Az PowerShell module is the replacement for AzureRM and is the recommended module to use for interacting with Azure.

Requirements

  • Account credentials

How to Use

1. Install the Powershell module

  • Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

2. List the help menu

  • Get-Help Az

3. Connect to Azure Cloud

  • Connect-AzAccount

Note: You can also authenticate using credentials

  • $credentials = Get-Credential
  • Connect-AzAccount -Credential $credentials

4. Once logged in, you are displayed Account, SubscriptionName, TenantId, Environment

Enumerate current Context

Get-AzContext

1. This cmdlet gets the Active Directory account, Active Directory tenant, Azure subscription, and the targeted Azure environment. Azure Resource Manager cmdlets use these settings by default when making Azure Resource Manager requests.

  • Get-AzContext -ListAvailable

Get-AzSubscription

The Get-AzSubscription cmdlet gets the subscription ID, subscription name, and home tenant for subscriptions that the current account can access.

  • Get-AzSubscription

Get-AzRoleAssignment

Use the Get-AzRoleAssignment command to list all role assignments that are effective on a scope. Without any parameters, this command returns all the role assignments made under the subscription. This list can be filtered using filtering parameters for principal, role and scope.

  • Get-AzRoleAssignment

Get-AzResource

The Get-AzResource cmdlet gets Azure resources.

  • Get-AzResource

Get-AzResourceGroup

The Get-AzResourceGroup cmdlet gets Azure resource groups in the current subscription. You can get all resource groups, or specify a resource group by name or by other properties. By default, this cmdlet gets all resource groups in the current subscription. For more information about Azure resources and Azure resource groups, see the New-AzResourceGroup cmdlet.

  • Get-AzResourceGroup

Get-AzStorageAccount

The Get-AzStorageAccount cmdlet gets a specified Storage account or all of the Storage accounts in a resource group or the subscription.

  • Get-AzStorageAccount

Get-AzWebApp

The Get-AzWebApp cmdlet gets information about an Azure Web App.

  • Get-AzWebApp

Get-AzAutomationAccount

The Get-AzAutomationAccount cmdlet gets Azure Automation accounts in a resource group.

  • Get-AzAutomationAccount

Get-AzVirtualNetwork

The Get-AzVirtualNetwork cmdlet gets one or more virtual networks in a resource group.

  • Get-AzVirtualNetwork

Get-AzPublicIPAddress

The Get-AzPublicIPAddress cmdlet gets one or more public IP addresses in a resource group.

  • Get-AzPublicIPAddress

Get-AzVpnConnection

Gets a vpn connection by name or lists all vpn connections connected to a VpnGateway.

  • Get-AzVpnConnection

References

https://learn.microsoft.com/en-us/powershell/azure/new-azureps-module-az?view=azps-11.5.0

[Authenticated][Information Gathering] Manual Azure Active Directory enumeration using AzureAD Powershell Module

Description

Azure Active Directory PowerShell for Graph (Azure AD PowerShell) is a module IT Pros commonly use to manage their Azure Active Directory. The cmdlets in the Azure AD PowerShell module enable you to retrieve data from the directory, create new objects in the directory, update existing objects, remove objects, as well as configure the directory and its features.

Requirements

Authenticated account

Installation

1. In order to install AzureAD run this command

  • Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force

2. List the module’s cmdlets

  • Get-Command -Module AzureAD

3. Display cmdlet help

  • Get-Help Connect-AzureAD -Detailed
  • Get-Help <cmdlet name> -Examples
  • Get-Help <cmdlet name> -Full

Enumeration

1. Connect to the Cloud

  • Connect-AzureAD

Get-AzureADDomain

The Get-AzureADDomain cmdlet gets a domain in Azure Active Directory (AD).

  • Get-AzureADDomain

Get-AzureADUser

The Get-AzureADUser cmdlet gets a user from Azure Active Directory (AD).

  • Get-AzureADUser
  • Get-AzureADUser -Filter <String>

Get-AzureADGroup

The Get-AzureADGroup cmdlet gets a group in Azure Active Directory (AD).

  • Get-AzureADGroup

Get-AzureADDirectoryRole

The Get-AzureADDirectoryRole cmdlet gets a directory role from Azure Active Directory (AD).

  • Get-AzureADDirectoryRole

Get-AzureADDirectoryRoleMember

The Get-AzureADDirectoryRoleMember cmdlet gets the members of a directory role in Azure Active Directory (AD).

  • Get-AzureADDirectoryRoleMember -ObjectId “<object-id>”

Get-AzureADApplication

The Get-AzureADApplication cmdlet gets an Azure Active Directory application.

  • Get-AzureADApplication

Get-AzureADApplicationOwner

The Get-AzureADApplicationOwner cmdlet get an owner of an Azure Active Directory application. Using the object-id of the application (Get-AzureADApplication)

  • Get-AzureADApplicationOwner -ObjectId “<object-id>”

Get-AzureADApplicationPasswordCredential

The Get-AzureADApplicationPasswordCredential cmdlet gets the password credentials for an Azure Active Directory application. Using the object-id of the application (Get-AzureADApplication)

  • Get-AzureADApplicationPasswordCredential -ObjectId “<object-id>”

References

https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureaduser?view=azureadps-2.0

https://docs.microsoft.com/en-us/powershell/module/azuread

[Authenticated][Information Gathering] Automated Microsoft 365 Office enumeration using o365recon

Description

o365recon

Script to retrieve information via O365 and AzureAD with a valid credential. You can run it either in Windows Powershell or Linux Powershell.

Requirements

Authenticated Account

Installation

1. Install these two modules

  • Install-Module -Name MSOnline -Scope CurrentUser -Repository PSGallery -Force
  • Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force

2. Download the script into you machine

  • git clone https://github.com/nyxgeek/o365recon.git
  • cd o365recon
  • ls

How to use

Connect to the cloud

  • o365recon.ps1 -azure
  • .\o365recon.ps1 -all -outputfile result.txt

Results

It provides us with detailed information about the azure environment

References

https://github.com/nyxgeek/o365recon

[Authenticated][Information Gathering] Automated Azure Active Directory enumeration using ROADtools

Description

ROADtools (Rogue Office 365 and Azure (active) Directory tools)

ROADtools is a framework to interact with Azure AD. It consists of a library (roadlib) with common components, the ROADrecon Azure AD exploration tool and the ROADtools Token eXchange (roadtx) tool.

ROADlib

ROADlib is a library that can be used to authenticate with Azure AD or to build tools that integrate with a database containing ROADrecon data. The database model in ROADlib is automatically generated based on the metadata definition of the Azure AD internal API. ROADlib lives in the ROADtools namespace, so to import it in your scripts use

  • from roadtools.roadlib import X

ROADrecon

ROADrecon is a tool for exploring information in Azure AD from both a Red Team and Blue Team perspective. In short, this is what it does:

  • Uses an automatically generated metadata model to create an SQLAlchemy backed database on disk.
  • Use asynchronous HTTP calls in Python to dump all available information in the Azure AD graph to this database.
  • Provide plugins to query this database and output it to a useful format.
  • Provide an extensive interface built in Angular that queries the offline database directly for its analysis.
  • ROADrecon uses async Python features and is only compatible with Python 3.7 and newer (development is done with Python 3.8, tests are run with versions up to Python 3.11).

Requirements

Authenticated Account

Installation

There are multiple ways to install ROADrecon:

Using a published version on PyPi

Stable versions can be installed with pip install roadrecon. This will automatically add the roadrecon command to your PATH.

Using a version from GitHub

Every commit to master is automatically built into a release version with Azure Pipelines. This ensures that you can install the latest version of the GUI without having to install npm and all it’s dependencies. You can download the roadlib and roadrecon build files from the Azure Pipelines artifacts (click on the button “1 Published”. The build output files are stored in ROADtools.zip. You can either install the .whl or .tar.gz files directly using pip or unzip both and install the folders in the correct order (roadlib first):

  • pip install roadlib/
  • pip install roadrecon/

You can also install them in development mode with pip install -e roadlib/.

Developing the front-end

If you want to make changes to the Angular front-end, you will need to have node and npm installed. Then install the components from git:

  • git clone https://github.com/dirkjanm/roadtools.git
  • pip install -e roadlib/
  • pip install -e roadrecon/
  • cd roadrecon/frontend/
  • npm install

You can run the Angular frontend with npm start or ng serve using the Angular CLI from the roadrecon/frontend/ directory. To build the JavaScript files into ROADrecon’s dist_gui directory, run npm build

How to use

1. You can also run the main script to run reoad recon

  • cd /roadtools/roadrecon/roadtools/roadrecon
  • python3 main.py -h

2. Display the argument options

  • python3 main.py auth -h

Start enumeration

Authentication

To authenticate use the auth module, this command will authenticate a create a token

  • roadrecon auth -u <azure_username> -p <password>

Gather information

Once authenticated we can proceed to gather information about Azure, it will save the results in a database

  • roadrecon gather

Start GUI

1. After the information has been gather, we can start the GUI

  • roadrecon gui

2. Connect to the GUI visiting http://127.0.0.1:5000/

Users

1. Enumerate users’ information such as username, account type, email, last password change, etc

2. If you click on a user you can verify the Groups, Roles, Owned Objects, Raw data

Groups

You can also enumerate groups and their details such as members and general information

Devices

Enumerate the devices name, status, OS, trust type

Roles

Enumerate rols Principal Name, type, userPrincipalName, status

Applications

Enumerate applications name, multitenant status, home page, authentication, owners

Service Principals

Enumerate Service principals name, type, publisher, status

Applications Roles

Enumerate application roles name, type, application, role, description

OAuth2

Enumerate OAuth2 Approval type, principal name, Source & target application, scope

References

https://github.com/dirkjanm/ROADtools

https://github.com/dirkjanm/ROADtools/wiki/Getting-started-with-ROADrecon